Best Way To Restrict SSH/Telnet On Cisco IOS XR

For security reasons, it is recommended to restrict remote access to your network devices over SSH or Telnet to a whitelist of IP addresses, which keeps brute-force login attempts from ever reaching the daemon. If you run Cisco IOS XR, you are in the right place: here we show the recommended way to lock down remote access on IOS XR. There are two ways to accomplish this.

1. Using ACL (Not Preferred Method)

This is how to apply the access-class, à la IOS:

line default
 access-class ingress MYACL

The line template default then needs to be associated with your VTY pool (or SSH pool), like this:

vty-pool default 0 4 line-template default

And of course, the Telnet daemon needs to be running:

telnet vrf default ipv4 server max-servers 4

Example Configuration:

ipv4 access-list VTY-ACL
 10 permit ipv4 any
 20 deny   ipv4 any any log
ipv6 access-list VTY-ACL
 10 permit ipv6 2001:DB8::/32 any
 20 deny   ipv6 any any log
vty-pool default 0 10
line default
 access-class ingress VTY-ACL

This method is not preferred because every Telnet packet is first processed by the line card (LC) hardware and sent to the route processor (RP), where it traverses the whole forwarding chain before the Telnet process finally checks it against the ACL and denies it. The unwanted packet is only dropped in software, at the very end of the path.

2. Using MPP (Recommended Method)

MPP (Management Plane Protection) is enforced in hardware: packets from sources that are not permitted are dropped immediately on the line card and never forwarded further, which saves system resources and provides better protection.

Example Configuration:

In the example below, we allow only SSH for remote access and disable Telnet, which is considered an insecure protocol. The peer restriction is configured under the management-plane inband interface:

line default
 transport input ssh
!
control-plane
 management-plane
  inband
   interface TenGigE0/0/0/0
    allow SSH peer
     address ipv4
     address ipv4
     address ipv6 1234:abcd::/32

Also, if you have multiple VRFs configured on your system, use the following command to enable the SSH server in a specific VRF:

ssh server vrf TRANSIT
ssh server vrf MANAGEMENT
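
As an added example (not from the original post), here is a small Python audit that reads an IOS XR configuration excerpt and flags the weak settings this article contrasts: a Telnet server left running, a VTY still accepting Telnet, a VTY ACL that permits any source, and an MPP "allow SSH peer" block with no peer address. The sample configuration and its documentation-range prefixes are constructed for the example.

```python
import re

# Constructed sample (not from the original post): an IOS XR excerpt with the
# weaknesses the article warns about; prefixes are documentation ranges.
SAMPLE_CONFIG = """\
telnet vrf default ipv4 server max-servers 4
ipv4 access-list VTY-ACL
 10 permit ipv4 any any
 20 deny ipv4 any any log
line default
 transport input ssh telnet
control-plane
 management-plane
  inband
   interface TenGigE0/0/0/0
    allow SSH peer
     address ipv4 192.0.2.0/24
   interface TenGigE0/0/0/1
    allow SSH peer
"""

def parse_blocks(config):
    """Yield (parents, line) pairs; IOS XR nests config by indentation."""
    stack = []  # (depth, line) of the enclosing blocks
    for raw in config.splitlines():
        if raw.strip():
            depth = len(raw) - len(raw.lstrip(" "))
            while stack and stack[-1][0] >= depth:
                stack.pop()
            yield [line for _, line in stack], raw.strip()
            stack.append((depth, raw.strip()))

def audit(config):
    findings, peers = [], {}  # peers: (interface, protocol) -> address lines
    for path, line in parse_blocks(config):
        parent = path[-1] if path else ""
        if line.startswith("telnet ") and " server " in line:
            findings.append("telnet server enabled: " + line)
        elif "transport input" in line and "telnet" in line.split():
            findings.append("VTY accepts telnet: " + line)
        elif " access-list " in parent and re.match(r"\d+ permit ipv[46] any(\s|$)", line):
            findings.append(f"{parent}: permit from any source: {line}")
        elif parent.startswith("interface ") and re.fullmatch(r"allow \S+ peer", line):
            peers.setdefault((parent, line.split()[1]), 0)
        elif len(path) > 1 and parent.startswith("allow ") and re.fullmatch(r"address ipv[46] \S+", line):
            key = (path[-2], parent.split()[1])  # a bare "address ipv4" is not counted
            peers[key] = peers.get(key, 0) + 1
    findings += [f"{i}: allow {p} peer has no peer address configured" for (i, p), n in peers.items() if n == 0]
    return findings
```

Run audit() over the output of "show running-config"; an empty list means none of the four checks fired.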

And that's it! Your Cisco IOS XR device is now protected against brute-force attacks on remote access, using the recommended method.
